From: Will M. <wil...@gm...> - 2004-10-29 03:19:13
Pawel,

Off the top of my head I would say go with snort_inline-2.2.0 and snort-2.2.0. We actually added mysql support into 2.1.3, but added proper state tracking via stream4 and iptables marks in 2.2.0 (see doc/README.INLINE). As far as the preprocs go, look at the default snort_inline.conf; it should give you a good base config to start off with. Don't really know any great articles on the subject of preprocs and rule language, but I would suggest that you take a look at the snort users manual http://www.snort.org/docs/snort_manual/ or pick up a copy of the Syngress book SNORT 2.1 Intrusion Detection. Hope this helps.....

Completely off topic, would anybody like to see an ssl-decryption preproc? Obviously you would only be able to decrypt traffic bound to servers for which you possess the private keys; in addition we would need to figure out some way to securely store these keys in escrow. Just a thought Victor Julien and I have been kicking around.

Regards,
Will

On Thu, 28 Oct 2004 19:27:33 -0500, Pawel Czarnota <pc...@ui...> wrote:
>
> Hey all,
> I am trying to decide which version of snort_inline to use on a Honeywall. I
> need something that will work with Open Wall Linux and that has all major
> bugs fixed (needs to be very secure). It also should have mysql support. The
> Honeywall will act as a bridge. Which version would be recommended? Also,
> which pre-processors should be enabled for use on an actual Honeywall (At
> this point none of our members know anything about the pre-processors and
> little about rules)? If someone can point me to good online articles about
> these I'd appreciate it. Finally, should I install the same version of snort
> that snort_inline will be, or are there any advantages of using different
> versions for each one. Thanks
>
> Pawel Czarnota
> ACM Honeynet Project Leader
> http://cs.uic.edu/~pczarno1
> University of Illinois at Chicago
>
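The "only servers whose private keys you possess" limit on the proposed ssl-decryption preproc, as an added example that is not code from snort_inline, from Will, or from any preprocessor that was built. It models a passive sniffer holding an escrowed server key against the two key exchanges SSL/TLS 1.0 servers commonly offered in 2004: with RSA key exchange the client encrypts the premaster secret to the server's public key, so the escrowed private key recovers it and the master-secret derivation (TLS 1.0 PRF, RFC 2246 section 5 and 8.1) can be replayed; with ephemeral Diffie-Hellman the server key only signs the parameters and never enters the secret, so the same sniffer gets nothing. The RSA key (Mersenne primes, textbook RSA without PKCS#1 padding), the DH group, and the handshake transcript dictionaries are constructed for the demo and are not secure or wire-accurate; `passive_decrypt` is the hypothetical preproc logic.

```python
"""Why an SSL-decryption preprocessor needs the server's private key, and when
even that is not enough.  Added example; toy parameters, offline only."""
import hashlib
import hmac
import secrets

# Constructed toy server RSA key: Mersenne primes, trivially factorable.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

# Constructed toy DH group, far too small for real use.
DH_P = (1 << 127) - 1
DH_G = 3


def p_hash(hashname, secret, seed, length):
    """P_hash expansion from RFC 2246 section 5: A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashname).digest()
        out += hmac.new(secret, a + seed, hashname).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2
    md5 = p_hash("md5", secret[:half], label + seed, length)
    sha = p_hash("sha1", secret[-half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(md5, sha))


def master_secret(premaster, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret", randoms)[0..47]."""
    return tls10_prf(premaster, b"master secret", client_random + server_random, 48)


def rsa_handshake():
    """RSA key exchange: the client picks the premaster and encrypts it to the server key.
    Returns ((client master, server master), what was visible on the wire)."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = b"\x03\x01" + secrets.token_bytes(46)      # client_version + 46 random bytes
    ckx = pow(int.from_bytes(premaster, "big"), E, N)       # ClientKeyExchange (textbook RSA)
    server_pms = pow(ckx, D, N).to_bytes(48, "big")         # server decrypts with its key
    endpoints = (master_secret(premaster, cr, sr), master_secret(server_pms, cr, sr))
    wire = {"kx": "RSA", "client_random": cr, "server_random": sr, "ckx": ckx}
    return endpoints, wire


def dhe_handshake():
    """DHE key exchange: the premaster is g^ab; the server key would only sign the
    ephemeral parameters (signature omitted) and never touches the secret."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    a, b = secrets.randbelow(DH_P - 2) + 1, secrets.randbelow(DH_P - 2) + 1
    ya, yb = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)          # ClientKeyExchange / ServerKeyExchange
    size = (DH_P.bit_length() + 7) // 8
    pms_client = pow(yb, a, DH_P).to_bytes(size, "big")
    pms_server = pow(ya, b, DH_P).to_bytes(size, "big")
    endpoints = (master_secret(pms_client, cr, sr), master_secret(pms_server, cr, sr))
    wire = {"kx": "DHE", "client_random": cr, "server_random": sr,
            "dh_client": ya, "dh_server": yb}
    return endpoints, wire


def passive_decrypt(wire, d=D, n=N):
    """Hypothetical preproc logic: what a sniffer holding the escrowed private key can
    recover from the handshake alone.  Returns the master secret, or None when the key
    exchange does not pass anything decryptable under that key."""
    if wire["kx"] != "RSA":
        return None          # DHE: only public values g^a, g^b are on the wire
    pms = pow(wire["ckx"], d, n).to_bytes(48, "big")
    return master_secret(pms, wire["client_random"], wire["server_random"])


if __name__ == "__main__":
    (c, s), wire = rsa_handshake()
    print("RSA kx: sniffer recovers master secret:", passive_decrypt(wire) == c == s)
    (c, s), wire = dhe_handshake()
    print("DHE kx: sniffer recovers master secret:", passive_decrypt(wire) == c)
```

The practical consequence for the escrow question in the mail: the stored key must be the server's RSA private key itself, it only helps for sessions negotiated with RSA key exchange, and rotating the server key invalidates decryption of every later session, so whatever escrow store is designed has to be kept in step with the servers' key material.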